Hidden objects in registry/redirecting from google search.


8 replies to this topic

#1 lorensfish

lorensfish

  • Members
  • 11 posts

Posted 11 July 2009 - 04:59 PM

Hi - I am at my wits' end.
I have an HP Pavilion notebook
Windows XP Media Edition Service Pack 3
Mozilla Firefox 3.0
Internet Explorer 7 (I keep it to work in Quicken)
Spyware Doctor 6, Malwarebytes, Ad-Aware Anniversary Edition, HijackThis, and recently added Avira.
I have been trying to fix this problem for the past several days. The first time I saw this problem was a couple of months ago; I downloaded Malwarebytes, ran it, and the problem appeared to have gone away just like that!! Well, it's back and it's much worse. The first signs were that my internet seemed to get sluggish and at some points stuck. Then Spy Dr Intelliguard started giving me several alerts about malicious or bad files trying to start, which I blocked as recommended. I did a scan with Spy Dr and it found nothing. Then I started getting an alert regarding trojan.tdsserv, and no matter if I blocked it or quarantined it, the alert continued. I tried to run Malwarebytes and it would not open. I found and downloaded Avira and did a scan, which found and removed several items (see log below). Rebooted computer; Malwarebytes now worked, ran it and it found nothing - however, the alert for trojan.tdsserv continued with Spy Dr. I uninstalled and reinstalled Spy Dr. and the alert has not reappeared. I am still having internet issues - I now cannot search on Google (the page just gets stuck) and before that links clicked on from Google were being redirected to ad pages. Avira has also alerted me to HEUR/HTML.Malware which I have quarantined.

This is the log after the first scan on 7/10 with Avira



Avira AntiVir Premium
Report file date: Friday, July 10, 2009 14:33

Scanning for 1503766 virus strains and unwanted programs.

Licensee : Cindy Jorgensen
Serial number : 2202598961-PEPWE-0001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : CINDY

Version information:
BUILD.DAT : 9.0.0.442 21381 Bytes 6/9/2009 16:45:00
AVSCAN.EXE : 9.0.3.6 466689 Bytes 7/10/2009 21:16:44
AVSCAN.DLL : 9.0.3.0 40705 Bytes 7/10/2009 21:16:41
LUKE.DLL : 9.0.3.2 209665 Bytes 7/10/2009 21:17:29
LUKERES.DLL : 9.0.2.0 12033 Bytes 7/10/2009 21:17:29
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 21:14:13
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 21:15:30
ANTIVIR2.VDF : 7.1.4.198 778752 Bytes 7/8/2009 21:15:40
ANTIVIR3.VDF : 7.1.4.219 359936 Bytes 7/10/2009 21:15:45
Engineversion : 8.2.0.204
AEVDF.DLL : 8.1.1.1 106868 Bytes 7/10/2009 21:16:14
AESCRIPT.DLL : 8.1.2.13 426362 Bytes 7/10/2009 21:16:13
AESCN.DLL : 8.1.2.3 127347 Bytes 7/10/2009 21:16:11
AERDL.DLL : 8.1.2.2 438642 Bytes 7/10/2009 21:16:10
AEPACK.DLL : 8.1.3.18 401783 Bytes 7/10/2009 21:16:07
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/10/2009 21:16:04
AEHEUR.DLL : 8.1.0.137 1823095 Bytes 7/10/2009 21:16:02
AEHELP.DLL : 8.1.3.6 205174 Bytes 7/10/2009 21:15:52
AEGEN.DLL : 8.1.1.48 348532 Bytes 7/10/2009 21:15:51
AEEMU.DLL : 8.1.0.9 393588 Bytes 7/10/2009 21:15:48
AECORE.DLL : 8.1.6.12 180599 Bytes 7/10/2009 21:15:47
AEBB.DLL : 8.1.0.3 53618 Bytes 7/10/2009 21:15:45
AVWINLL.DLL : 9.0.0.3 18177 Bytes 7/10/2009 21:16:50
AVPREF.DLL : 9.0.0.1 43777 Bytes 7/10/2009 21:16:38
AVREP.DLL : 8.0.0.3 155905 Bytes 7/10/2009 21:16:16
AVREG.DLL : 9.0.0.0 36609 Bytes 7/10/2009 21:16:39
AVARKT.DLL : 9.0.0.3 292609 Bytes 7/10/2009 21:16:19
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 7/10/2009 21:16:30
SQLITE3.DLL : 3.6.1.0 326401 Bytes 7/10/2009 21:17:45
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 7/10/2009 21:17:42
NETNT.DLL : 9.0.0.0 11521 Bytes 7/10/2009 21:17:30
RCIMAGE.DLL : 9.0.0.28 2623745 Bytes 7/10/2009 21:10:35
RCTEXT.DLL : 9.0.37.0 90369 Bytes 7/10/2009 21:10:36

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Friday, July 10, 2009 14:33

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\modules
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\start
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\type
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\imagepath
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\group
[INFO] The registry entry is invisible.
'9614' objects were checked, '5' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process '1stClock.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'PSFree.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'DrvIcon.exe' - '1' Module(s) have been scanned
Scan process 'nmctxth.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'HP Wireless Assistant.exe' - '1' Module(s) have been scanned
Scan process 'ehmsas.exe' - '1' Module(s) have been scanned
Scan process 'ehtray.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'dllhost.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'avwebgrd.exe' - '1' Module(s) have been scanned
Scan process 'avmailc.exe' - '1' Module(s) have been scanned
Scan process 'hpswp_clipbook.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'nmsrvc.exe' - '1' Module(s) have been scanned
Scan process 'mcrdsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ehSched.exe' - '1' Module(s) have been scanned
Scan process 'DkService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'PhotoshopElementsFileAgent.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
49 processes with 49 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '67' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\Cindy J\Application Data\pridl\pridl.exe
[DETECTION] Is the TR/Downloader.Gen Trojan
C:\Documents and Settings\Cindy J\Local Settings\Temp\rsxcomeawn.tmp
[0] Archive type: RAR SFX (self extracting)
--> MsgUpdate.dll
[DETECTION] Contains recognition pattern of the ADSPY/Agent.ona adware or spyware
--> IgfxSys.dll
[DETECTION] Contains recognition pattern of the ADSPY/Agent.omz adware or spyware
--> phuninst.dll
[DETECTION] Contains recognition pattern of the ADSPY/Agent.onb adware or spyware
C:\Documents and Settings\Cindy J\My Documents\Downloads\media_player_update.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Documents and Settings\Cindy J\My Documents\Downloads\setup.exe
--> Object
[DETECTION] Contains recognition pattern of the WORM/Koobface.UK worm
C:\Documents and Settings\Cindy J\My Documents\Incomplete\T-5162854-rock me right [club mix].mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
C:\Documents and Settings\Cindy J\My Documents\My Music\Albert Hammond, Jr. - 101.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
C:\Documents and Settings\Cindy J\My Documents\My Music\christmas canon trans sibrian CD quality.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
C:\Documents and Settings\Cindy J\My Documents\My Music\Ida Maria - Keep Me Warm .mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
C:\Documents and Settings\Cindy J\My Documents\My Music\jealous of moon nickel creek.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
C:\Documents and Settings\Cindy J\My Documents\My Music\oiche chiun enya.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
C:\Documents and Settings\Cindy J\My Documents\My Music\single fins & safety pins HIT TOP50.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
C:\Documents and Settings\Cindy J\My Documents\My Music\treeology shady bard (320k stereo).mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
C:\Documents and Settings\Cindy J\My Documents\My Music\treeology shady bard - best track ever.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
C:\Documents and Settings\Cindy J\My Documents\My Music\winter wonderland peggy lee(1).mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
C:\Program Files\AnswersThatWork\Troubleshooter\BACKUP\UltimateTroubleshooter.exe
[DETECTION] Is the TR/Agent.1323008.D Trojan
C:\Program Files\Common Files\supportsoft\bin\ssmail.dll
[DETECTION] Is the TR/Ransom.Hexzone.agn.4 Trojan

Beginning disinfection:
C:\Documents and Settings\Cindy J\Application Data\pridl\pridl.exe
[DETECTION] Is the TR/Downloader.Gen Trojan
[NOTE] The file was moved to '4ac0be12.qua'!
C:\Documents and Settings\Cindy J\Local Settings\Temp\rsxcomeawn.tmp
[NOTE] The file was moved to '4acfbe13.qua'!
C:\Documents and Settings\Cindy J\My Documents\Downloads\media_player_update.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4abbbe05.qua'!
C:\Documents and Settings\Cindy J\My Documents\Downloads\setup.exe
[NOTE] The file was moved to '4acbbe05.qua'!
C:\Documents and Settings\Cindy J\My Documents\Incomplete\T-5162854-rock me right [club mix].mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '4a8cbdcd.qua'!
C:\Documents and Settings\Cindy J\My Documents\My Music\Albert Hammond, Jr. - 101.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '4ab9be0d.qua'!
C:\Documents and Settings\Cindy J\My Documents\My Music\christmas canon trans sibrian CD quality.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '4ac9be09.qua'!
C:\Documents and Settings\Cindy J\My Documents\My Music\Ida Maria - Keep Me Warm .mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '4ab8be05.qua'!
C:\Documents and Settings\Cindy J\My Documents\My Music\jealous of moon nickel creek.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '4ab8be06.qua'!
C:\Documents and Settings\Cindy J\My Documents\My Music\oiche chiun enya.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '4ababe0a.qua'!
C:\Documents and Settings\Cindy J\My Documents\My Music\single fins & safety pins HIT TOP50.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '4ac5be0b.qua'!
C:\Documents and Settings\Cindy J\My Documents\My Music\treeology shady bard (320k stereo).mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '4abcbe18.qua'!
C:\Documents and Settings\Cindy J\My Documents\My Music\treeology shady bard - best track ever.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '4944bef1.qua'!
C:\Documents and Settings\Cindy J\My Documents\My Music\winter wonderland peggy lee(1).mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '4ac5be10.qua'!
C:\Program Files\AnswersThatWork\Troubleshooter\BACKUP\UltimateTroubleshooter.exe
[DETECTION] Is the TR/Agent.1323008.D Trojan
[NOTE] The file was moved to '4acbbe14.qua'!
C:\Program Files\Common Files\supportsoft\bin\ssmail.dll
[DETECTION] Is the TR/Ransom.Hexzone.agn.4 Trojan
[NOTE] The file was moved to '4ac4be1b.qua'!


End of the scan: Friday, July 10, 2009 15:16
Used time: 42:22 Minute(s)

The scan has been canceled!

8868 Scanned directories
164710 Files were scanned
18 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
16 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
164690 Files not concerned
6946 Archives were scanned
2 Warnings
18 Notes
9614 Objects were scanned with rootkit scan
5 Hidden objects were found

This is the second scan with Avira on 7/10 (first one was interrupted)



Avira AntiVir Premium
Report file date: Friday, July 10, 2009 15:17

Scanning for 1503766 virus strains and unwanted programs.

Licensee : Cindy Jorgensen
Serial number : 2202598961-PEPWE-0001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : CINDY

Version information:
BUILD.DAT : 9.0.0.442 21381 Bytes 6/9/2009 16:45:00
AVSCAN.EXE : 9.0.3.6 466689 Bytes 7/10/2009 21:16:44
AVSCAN.DLL : 9.0.3.0 40705 Bytes 7/10/2009 21:16:41
LUKE.DLL : 9.0.3.2 209665 Bytes 7/10/2009 21:17:29
LUKERES.DLL : 9.0.2.0 12033 Bytes 7/10/2009 21:17:29
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 21:14:13
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 21:15:30
ANTIVIR2.VDF : 7.1.4.198 778752 Bytes 7/8/2009 21:15:40
ANTIVIR3.VDF : 7.1.4.219 359936 Bytes 7/10/2009 21:15:45
Engineversion : 8.2.0.204
AEVDF.DLL : 8.1.1.1 106868 Bytes 7/10/2009 21:16:14
AESCRIPT.DLL : 8.1.2.13 426362 Bytes 7/10/2009 21:16:13
AESCN.DLL : 8.1.2.3 127347 Bytes 7/10/2009 21:16:11
AERDL.DLL : 8.1.2.2 438642 Bytes 7/10/2009 21:16:10
AEPACK.DLL : 8.1.3.18 401783 Bytes 7/10/2009 21:16:07
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/10/2009 21:16:04
AEHEUR.DLL : 8.1.0.137 1823095 Bytes 7/10/2009 21:16:02
AEHELP.DLL : 8.1.3.6 205174 Bytes 7/10/2009 21:15:52
AEGEN.DLL : 8.1.1.48 348532 Bytes 7/10/2009 21:15:51
AEEMU.DLL : 8.1.0.9 393588 Bytes 7/10/2009 21:15:48
AECORE.DLL : 8.1.6.12 180599 Bytes 7/10/2009 21:15:47
AEBB.DLL : 8.1.0.3 53618 Bytes 7/10/2009 21:15:45
AVWINLL.DLL : 9.0.0.3 18177 Bytes 7/10/2009 21:16:50
AVPREF.DLL : 9.0.0.1 43777 Bytes 7/10/2009 21:16:38
AVREP.DLL : 8.0.0.3 155905 Bytes 7/10/2009 21:16:16
AVREG.DLL : 9.0.0.0 36609 Bytes 7/10/2009 21:16:39
AVARKT.DLL : 9.0.0.3 292609 Bytes 7/10/2009 21:16:19
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 7/10/2009 21:16:30
SQLITE3.DLL : 3.6.1.0 326401 Bytes 7/10/2009 21:17:45
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 7/10/2009 21:17:42
NETNT.DLL : 9.0.0.0 11521 Bytes 7/10/2009 21:17:30
RCIMAGE.DLL : 9.0.0.28 2623745 Bytes 7/10/2009 21:10:35
RCTEXT.DLL : 9.0.37.0 90369 Bytes 7/10/2009 21:10:36

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Friday, July 10, 2009 15:17

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\modules
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\start
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\type
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\imagepath
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\group
[INFO] The registry entry is invisible.
'9615' objects were checked, '5' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process '1stClock.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'PSFree.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'DrvIcon.exe' - '1' Module(s) have been scanned
Scan process 'nmctxth.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'HP Wireless Assistant.exe' - '1' Module(s) have been scanned
Scan process 'ehmsas.exe' - '1' Module(s) have been scanned
Scan process 'ehtray.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'dllhost.exe' - '1' Module(s) have been scanned
Scan process 'avwebgrd.exe' - '1' Module(s) have been scanned
Scan process 'avmailc.exe' - '1' Module(s) have been scanned
Scan process 'hpswp_clipbook.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'nmsrvc.exe' - '1' Module(s) have been scanned
Scan process 'mcrdsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ehSched.exe' - '1' Module(s) have been scanned
Scan process 'DkService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'PhotoshopElementsFileAgent.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
48 processes with 48 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '67' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP496\A0096496.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP499\A0100554.dll
[DETECTION] Is the TR/Trash.Gen Trojan
Begin scan in 'D:\' <HP_RECOVERY>

Beginning disinfection:
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP496\A0096496.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4a87d508.qua'!
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP499\A0100554.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4a88d508.qua'!


End of the scan: Friday, July 10, 2009 16:55
Used time: 1:17:08 Hour(s)

The scan has been done completely.

15328 Scanned directories
458594 Files were scanned
2 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
2 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
458590 Files not concerned
10070 Archives were scanned
2 Warnings
4 Notes
9615 Objects were scanned with rootkit scan
5 Hidden objects were found

TO BE CONTINUED.......... :thumbsup:

Edited by lorensfish, 11 July 2009 - 06:40 PM.
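An added example (not code from this thread or from Avira) that parses report text of the shape posted above and pulls out what a helper reads first: hidden Services registry keys such as UACd.sys (a rootkit indicator), detections grouped by Avira's family prefix, and which detected files never received a quarantine note. The sample report is constructed, with a shortened user path; the section names and line formats follow the reports above.

```python
"""Triage helper for Avira AntiVir report text like the reports posted in this thread."""
import re

# Constructed sample in the shape of the thread's reports (user path shortened,
# one file per detection family); not a copy of any report above.
SAMPLE_REPORT = r"""
Starting search for hidden objects.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\modules
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\start
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\uac
[INFO] The registry entry is invisible.
'9614' objects were checked, '3' hidden objects were found.

Starting the file scan:
C:\Documents and Settings\User\Application Data\pridl\pridl.exe
[DETECTION] Is the TR/Downloader.Gen Trojan
C:\Documents and Settings\User\Local Settings\Temp\rsxcomeawn.tmp
[0] Archive type: RAR SFX (self extracting)
--> MsgUpdate.dll
[DETECTION] Contains recognition pattern of the ADSPY/Agent.ona adware or spyware
C:\Documents and Settings\User\My Documents\My Music\song.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit

Beginning disinfection:
C:\Documents and Settings\User\Application Data\pridl\pridl.exe
[DETECTION] Is the TR/Downloader.Gen Trojan
[NOTE] The file was moved to '4ac0be12.qua'!
C:\Documents and Settings\User\Local Settings\Temp\rsxcomeawn.tmp
[NOTE] The file was moved to '4acfbe13.qua'!
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
DETECTION_RE = re.compile(r"^\[DETECTION\] (?:Is the|Contains recognition pattern of the) (\S+)")
QUARANTINE_RE = re.compile(r"^\[NOTE\] The file was moved to '([^']+)'!")
HIDDEN_TOTAL_RE = re.compile(r"^'\d+' objects were checked, '(\d+)' hidden objects")
SERVICE_KEY_RE = re.compile(r"\\Services\\([^\\]+)\\", re.IGNORECASE)


def parse_avira_report(text):
    """Walk the report section by section and collect what each section records."""
    report = {"hidden": [], "reported_hidden": None, "detections": {}, "quarantined": {}}
    section = current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Starting search for hidden objects"):
            section = "hidden"
        elif line.startswith("Starting the file scan"):
            section = "scan"
        elif line.startswith("Beginning disinfection"):
            section = "disinfect"
        elif section == "hidden":
            m = HIDDEN_TOTAL_RE.match(line)
            if m:
                report["reported_hidden"] = int(m.group(1))
            elif line.startswith("HKEY_"):
                report["hidden"].append(line)
        elif section in ("scan", "disinfect"):
            if PATH_RE.match(line):
                current = line  # archive members ("--> x.dll") stay attributed to the archive
                continue
            m = DETECTION_RE.match(line)
            if m and current and section == "scan":
                report["detections"].setdefault(current, []).append(m.group(1))
                continue
            m = QUARANTINE_RE.match(line)
            if m and current and section == "disinfect":
                report["quarantined"][current] = m.group(1)
    return report


def hidden_services(report):
    """Service names whose registry keys the normal API could not see: the classic
    footprint of a kernel-mode rootkit driver hiding its own service entry."""
    names = set()
    for key in report["hidden"]:
        m = SERVICE_KEY_RE.search(key)
        if m:
            names.add(m.group(1))
    return sorted(names)


def triage(text):
    """Summarise a report the way a helper reading this thread would."""
    report = parse_avira_report(text)
    families = {}  # Avira family prefix: TR = trojan, ADSPY = adware/spyware, EXP = exploit
    for names in report["detections"].values():
        for name in names:
            fam = name.split("/", 1)[0]
            families[fam] = families.get(fam, 0) + 1
    services = hidden_services(report)
    return {
        "hidden_services": services,
        "rootkit_suspected": bool(services),
        # a mismatch here means the parser missed lines, not that the scanner miscounted
        "hidden_count_consistent": report["reported_hidden"] == len(report["hidden"]),
        "families": families,
        # detections without a quarantine note are still on disk (e.g. after a cancelled scan)
        "unquarantined": sorted(p for p in report["detections"] if p not in report["quarantined"]),
    }
```

Run `triage(SAMPLE_REPORT)` to get the summary; feeding it one of the full reports above flags UACd.sys as a hidden service and lists every EXP/ASF.GetCodec.Gen file left unquarantined by the cancelled first scan.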




#2 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 11 July 2009 - 06:40 PM

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 lorensfish

lorensfish
  • Topic Starter

  • Members
  • 11 posts

Posted 11 July 2009 - 07:03 PM

This is the rootkit search done today by Avira showing 11 hidden objects:



Avira AntiVir Premium
Report file date: Saturday, July 11, 2009 16:53

Scanning for 1515293 virus strains and unwanted programs.

Licensee : Cindy Jorgensen
Serial number : 2202598961-PEPWE-0001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : Cindy J
Computer name : CINDY

Version information:
BUILD.DAT : 9.0.0.442 21381 Bytes 6/9/2009 16:45:00
AVSCAN.EXE : 9.0.3.6 466689 Bytes 7/10/2009 21:16:44
AVSCAN.DLL : 9.0.3.0 40705 Bytes 7/10/2009 21:16:41
LUKE.DLL : 9.0.3.2 209665 Bytes 7/10/2009 21:17:29
LUKERES.DLL : 9.0.2.0 12033 Bytes 7/10/2009 21:17:29
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 21:14:13
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 21:15:30
ANTIVIR2.VDF : 7.1.4.198 778752 Bytes 7/8/2009 21:15:40
ANTIVIR3.VDF : 7.1.4.220 504320 Bytes 7/11/2009 19:54:20
Engineversion : 8.2.0.204
AEVDF.DLL : 8.1.1.1 106868 Bytes 7/10/2009 21:16:14
AESCRIPT.DLL : 8.1.2.13 426362 Bytes 7/10/2009 21:16:13
AESCN.DLL : 8.1.2.3 127347 Bytes 7/10/2009 21:16:11
AERDL.DLL : 8.1.2.2 438642 Bytes 7/10/2009 21:16:10
AEPACK.DLL : 8.1.3.18 401783 Bytes 7/10/2009 21:16:07
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/10/2009 21:16:04
AEHEUR.DLL : 8.1.0.137 1823095 Bytes 7/10/2009 21:16:02
AEHELP.DLL : 8.1.3.6 205174 Bytes 7/10/2009 21:15:52
AEGEN.DLL : 8.1.1.48 348532 Bytes 7/10/2009 21:15:51
AEEMU.DLL : 8.1.0.9 393588 Bytes 7/10/2009 21:15:48
AECORE.DLL : 8.1.6.12 180599 Bytes 7/10/2009 21:15:47
AEBB.DLL : 8.1.0.3 53618 Bytes 7/10/2009 21:15:45
AVWINLL.DLL : 9.0.0.3 18177 Bytes 7/10/2009 21:16:50
AVPREF.DLL : 9.0.0.1 43777 Bytes 7/10/2009 21:16:38
AVREP.DLL : 8.0.0.3 155905 Bytes 7/10/2009 21:16:16
AVREG.DLL : 9.0.0.0 36609 Bytes 7/10/2009 21:16:39
AVARKT.DLL : 9.0.0.3 292609 Bytes 7/10/2009 21:16:19
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 7/10/2009 21:16:30
SQLITE3.DLL : 3.6.1.0 326401 Bytes 7/10/2009 21:17:45
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 7/10/2009 21:17:42
NETNT.DLL : 9.0.0.0 11521 Bytes 7/10/2009 21:17:30
RCIMAGE.DLL : 9.0.0.28 2623745 Bytes 7/10/2009 21:10:35
RCTEXT.DLL : 9.0.37.0 90369 Bytes 7/10/2009 21:10:36

Configuration settings for the scan:
Jobname.............................: Rootkit search
Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\PROFILES\rootkit.avp
Logging.............................: high
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Process scan........................: off
Scan registry.......................: off
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: high
Expanded search settings............: 0x00300922

Start of the scan: Saturday, July 11, 2009 16:53

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\modules
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\start
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\type
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\imagepath
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\group
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys\modules
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys\start
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys\type
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys\imagepath
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys\group
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\uac
[INFO] The registry entry is invisible.
'394060' objects were checked, '11' hidden objects were found.


End of the scan: Saturday, July 11, 2009 16:54
Used time: 01:09 Minute(s)

The scan has been done completely.

0 Scanned directories
0 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
0 Files not concerned
0 Archives were scanned
0 Warnings
0 Notes
394060 Objects were scanned with rootkit scan
11 Hidden objects were found

OK I WILL FOLLOW YOUR INSTRUCTIONS AND REPORT BACK TO YOU ASAP

THANK YOU ........ CINDY, :thumbsup:

#4 lorensfish

lorensfish
  • Topic Starter

  • Members
  • 11 posts

Posted 11 July 2009 - 07:19 PM

OK ..... I downloaded SmitfraudFix.exe and tried to run it and I got the following error:

Smitfraudfix.exe has encountered a problem and needs to close. We are sorry for the inconvenience.

More information: Error signature:

AppName: smitfraudfix.exe AppVer: 0.0.0.0 ModName: smitfraudfix.exe
ModVer: 0.0.0.0 Offset: 00001000

Technical information: The following files will be included in this error report
C:\DOCUME~1\CINDYJ~1\LOCALS~1\Temp\e8d9_appcompat.txt

I did a shutdown and restart and tried again, got the same result.

:thumbsup:

#5 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 11 July 2009 - 07:43 PM

Let's try SDFix and we can return to SmitFraudFix.

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#6 lorensfish

lorensfish
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:02 PM

Posted 12 July 2009 - 12:50 PM

HI - I have spent the last hour and a half trying to get the SDfix to work. This is what happened:

As per your instructions I went to "how to use SDfix" and followed the instructions to the letter, however, I can only get as far as #5.

When I double click on the SDfix.exe icon the "open file...." box opens, I click on the RUN button and then I get my animated wait icon for about 15 seconds and then nothing.

The window showing SDfix being extracted into the C:\SDFix folder does not appear and upon checking the folder is not there. I have tried over and over again deleting and starting from scratch to no avail. This includes using ccleaner and cleaning IE and firefox prior to starting over.

NOTE: Every time I restarted my computer I received these error messages:
  • ctfmon.exe - Ending program please wait
  • explorer.exe is not responding
I had to end explorer.exe in order to restart my computer.

I am so frustrated - Thank you for helping.

#7 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:12:02 AM

Posted 12 July 2009 - 04:12 PM

With the problem we are having with these tools, I would recommend going straight to the HJT forum. Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far.

If you need any help with the guide, please let me know. Best wishes Cindy - you are in good hands...

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#8 lorensfish

lorensfish
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:02 PM

Posted 14 July 2009 - 12:04 PM

Ok I will continue on in the direction you are sending me.

Thank you so much for all the help so far. I really appreciate it. :thumbsup:

#9 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,993 posts
  • ONLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:12:02 AM

Posted 14 July 2009 - 04:17 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/241487/i-do-not-know-what-i-am-infected-with/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond. Please be patient. It may take a while to get a response, but your log will be reviewed and answered as soon as possible.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
